Gain Top-Notch InfoSec Skills at SANS Las Vegas 2018. Save $400 thru 12/6.

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #2

January 6, 2017

TOP OF THE NEWS

FTC Suing D-Link Over Unsecure Routers and Cameras
FTC Announces IoT Security Challenge
Android January Update Fixes 90 Flaws
Android Had the Most Detected Vulnerabilities in 2016

THE REST OF THE WEEK'S NEWS

MM Core Backdoor Reemerges With Two New Variants
Kaspersky Updates Antivirus Products to Fix Certificate Collision Issue
Unprotected MongoDB Installations Targeted in Malware Attacks
California Ransomware Bill Goes Into Effect
Software Update Causes Problems for Some U.S. Customs and Border Patrol Systems
Not All Federal Agency Websites Have Met HTTPS Migration Deadline

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Sophos Inc. *************************

With ransomware making headlines for all of the wrong reasons, the pressure is on to put together a top of the line defense. Starting from scratch can be tough, so check out this Anti-Ransomware Hub and get resources to help you better understand the threat and choose the best possible security solution. Learn More: http://www.sans.org/info/191272

***************************************************************************

TRAINING UPDATE

--SANS Brussels Winter 2017 | Brussels, Belgium | Jan 16-21, 2017 | https://www.sans.org/event/brussels-winter-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | Las Vegas, NV | January 23-30, 2017 | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | Anaheim, CA |February 6-11, 2017 | https://www.sans.org/event/anaheim-2017

--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017

--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

FTC Suing D-Link Over Unsecure Routers and Cameras (January 5, 2017)

The U.S. Federal Trade Commission (FTC) has initiated legal action against D-Link for "fail
[ing ]
to take steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." The security issues could be exploited to steal information and to spy on consumers.


[Editor Comments ]



[Pescatore ]
Two things are good to see here: (1) The FTC firing a shot across the bow of the consumer router vendors; and (2) the FTC focused on the fact that D-Link actually made claims of high levels of security while failing to provide basic levels of security in their products and processes. Home users are trying to get more secure against attacks (a recent Johns Hopkins University/University of Maryland survey showed this in a big way) and vendors have started to talk the talk about security. It is very good to see the FTC remind them that they need to walk the walk, too - and increase security *before* increasing marketing about security.


[Williams ]
Most in the press are reporting this story incorrectly. The FTC isn't bringing a product liability case because D-Link built insecure products. The FTC is suing because D-Link made material claims about the security of their products, which they reasonably should have known were untrue. Had D-Link made no claims about the security features of their devices, the FTC would likely have no case.


[Paller ]
Jake Williams is correct; many companies have avoided FTC scrutiny by removing claims of ensuring customer privacy from their published privacy policies. Manufacturers of home products won't be able to do that, however, as John Pescatore notes, because if they don't make marketing claims that their products are secure, their sales will increasingly suffer. Kudos to the FTC.


[Northcutt ]
This is actually the only way companies will practice due diligence. Cybersecurity is very similar to safety and with IOT it will only become more so. This starts to set case law for far more scary concepts like automobiles that can be hacked from a thousand miles away.


-http://fortune.com/2016/01/26/security-experts-hack-cars/


-https://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/

Read more in:

Ars Technica: Unsecure routers, webcams prompt feds to sue D-Link
-http://arstechnica.com/tech-policy/2017/01/unsecure-routers-webcams-prompt-feds-
to-sue-d-link/


Computerworld: FTC goes after D-Link for shoddy security in routers, cameras
-http://computerworld.com/article/3155090/security/ftc-goes-after-d-link-for-shod
dy-security-in-routers-cameras.html


The Hill: Feds allege security flaws in D-Link routers, cameras
-http://thehill.com/policy/cybersecurity/312897-ftc-files-complaint-against-d-lin
k-routers-cameras


FTC Complaint:
-http://arstechnica.com/wp-content/uploads/2017/01/ftcdlinkcomplaint.pdf

FTC Announces IoT Security Challenge (January 4, 2017)

The US Federal Trade Commission (FTC) is holding a contest that will award a prize of up to USD 25,000 for the best technical solution to Internet of Things (IoT) security for home networks. The tool could be a physical device that connects to a home network and checks for updates for other connected IoT devices; it could also be an app, a cloud-based service, or a user interface. Registration forms will be available on or about March 1, 2017. The deadline for submissions is May 22, 2017; winners will be announced at the end of July 2017.


[Editor Comments ]



[Murray ]
While one wants home appliances to be resistant to outside interference and contamination, the bigger problem is devices that are directly addressable from the Internet, devices that can be co-opted into bot-nets and used in denial of service and brute force attacks.

Read more in:

KrebsOnSecurity: The FTC's Internet of Things (IoT) Challenge
-https://krebsonsecurity.com/2017/01/the-ftcs-internet-of-things-iot-challenge/

Dark Reading: FTC Launches Contest For Technology Tool To Protect Home IoT Devices
-http://www.darkreading.com/vulnerabilities---threats/ftc-launches-contest-for-te
chnology-tool-to-protect-home-iot-devices/d/d-id/1327831?


FTC: IoT Home Inspector Challenge
-https://www.ftc.gov/iot-home-inspector-challenge

Android January Update Fixes 90 Flaws (January 5, 2017)

Google's first security update for Android in 2017 includes fixes for 90 vulnerabilities. Of those, 29 are rated critical. The update includes fixes for issues in the Android mediaserver component, Qualcomm components, and the Linux kernel.


[Editor Comments ]



[Ullrich ]
The most significant vulnerability in this patch is a remote code execution vulnerability in Android's media server. These bugs have become known as "stagefright" vulnerabilities, named after the affected library. Google has been patching this library for a few years now, and exploits have been released for past "stagefright" flaws.


[Paller ]
It may be useful to point out that the fact that Google issued fixes to Android in no way means that people who use Android are now protected. A complex supply chain from Google to end users may take weeks, months or forever before the protections are in place.

Read more in:

eWeek: Google Patches Android For 90 Vulnerabilities in January Update
-http://www.eweek.com/security/google-patches-android-for-90-vulnerabilities-in-j
anuary-update.html

Android Had the Most Detected Vulnerabilities in 2016 (January 4, 2017)

Google's Android operating system had 523 discovered vulnerabilities in 2016, making it the product with the most discovered flaws last year, according to the CVE Details website. Debian Linux and Ubuntu Linux came in second and third, with 319 and 278 flaws, respectively. Adobe Flash Player placed fourth with 266 vulnerabilities.


[Editor Comments ]



[Pescatore ]
For 2015, Apple MacOS and Iphone OS were the products with the most CVEs listed, and now in 2016 we see Android with the most vulnerabilities listed, yet over 2015 and 2016 the number of successful exploits against Mac, iPhone and Android devices was very low, even though large numbers of very high value targets use all of those products. Mechanisms like the Apple App Store and Google Play have greatly increased the difficulty for real world exploits to cause meaningful damage. Conversely, Adobe Flash and Acrobat products occupied 4 of the top 10 CVE slots in both 2015 and 2016 with many successful exploits on Windows platforms where whitelist/application control mechanisms are rarely in use.

Read more in:

SC Magazine: Data: More vulnerabilities found in Google Android than any other program in 2016
-https://www.scmagazine.com/data-more-vulnerabilities-found-in-google-android-tha
n-any-other-program-in-2016/article/629642/



*************************** SPONSORED LINKS ********************************

1) Don't Miss: "Hunting with Cyber Deception and Incident Response Automation" Register: http://www.sans.org/info/191277

2) WhatWorks Webcast: "Using Cisco Stealthwatch to Increase Security By Enhancing Critical Security Control Performance" Register: http://www.sans.org/info/191282

3) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! http://www.sans.org/info/191287

******************************************************************************

THE REST OF THE WEEK'S NEWS

MM Core Backdoor Reemerges With Two New Variants (January 5, 2017)

Two new variants of the MM Core backdoor malware have surfaced. Known as BigBoss and SillyGoose, they are based on the MM Core backdoor, which was first detected in 2013 and has been dormant since then. BigBoss is believed to have been used in attacks since mid-2015; SillyGoose has been used in attacks starting in September 2016.


[Editor Comments ]



[Williams ]
This article mentions that the core code of the backdoor remains unchanged. The attackers simply changed file names and mutexes. That the new variants remained undetected says that we are not forcing attackers to move far enough up the pyramid of pain (
-http://blog.sqrrl.com/a-framework-for-threat-hunting-part-1-the-pyramid-of-pain)
.

This story also highlights the value of deep binary analysis skills, which can help create IOCs based on the core code.

Read more in:

The Register: Spy code dormant for three years resurfaces in two new variants
-http://www.theregister.co.uk/2017/01/05/backdoor_returns/

Forcepoint: MM Core In-Memory Backdoor Returns as "BigBoss" and "SillyGoose"
-https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigbo
ss-and-sillygoose

Kaspersky Updates Antivirus Products to Fix Certificate Collision Issue (January 4, 2017)

Google's Project Zero alerted Kaspersky Lab to a problem in its antivirus products that left users open to traffic interception attacks through SSL/TLS certificate collisions. The issue was in Kaspersky's SSL/TLS traffic inspection feature; Kaspersky was using just the first 32 bits of an MD5 hash in its SSL proxy. Kaspersky has updated affected products.


[Editor Comments ]



[Ullrich ]
Inspecting SSL encrypted traffic has become a requirement for security solutions. But in the process, organizations often weaken the SSL certificate verification. Without proper certificate validation, SSL does not provide confidentiality. Kaspersky isn't the first company to have difficulties implementing this correctly.

Read more in:

The Register: Kaspersky fixing serious certificate slip
-http://www.theregister.co.uk/2017/01/04/kaspersky_fixing_serious_certificate_sli
p/


ZDNet: Project Zero calls out Kaspersky AV for SSL interception practices
-http://www.zdnet.com/article/project-zero-calls-out-kaspersky-av-for-ssl-interce
ption-practices/



Computerworld: Kaspersky antivirus exposed used to traffic-interception attacks
-http://computerworld.com/article/3154612/security/kaspersky-antivirus-exposed-us
ers-to-traffic-interception-attacks.html

Unprotected MongoDB Installations Targeted in Malware Attacks (January 4 & 5, 2017)

Unprotected MongoDB installations are being hit with ransomware attacks. The perpetrators delete the data from the database and post a message demanding payment in bitcoin. The number of attacks is growing, and in some cases, the data from the databases are being destroyed so even when the ransom is paid, the data are not returned. Users running unsecured versions of MongoDB are urged to update the software and implement authentication.


[Editor Comments ]



[Williams ]
While MongoDB is in the news right now, don't forget we had an article about rsync in NewsBites earlier this week. We still also find open memcached installations. Good software inventories, change control processes, and continuous vulnerability assessment will help organizations face the MongoDB challenges and challenges yet to be discovered.

Read more in:

SC Magazine: MongoDB databases under attack worldwide
-https://www.scmagazine.com/mongodb-databases-under-attack-worldwide/article/6296
01/


The Register: Web-exposed MongoDB installs wiped by bitcoin ransoming script scum
-http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransom
ing_script/


Threatpost: Attacks on MongoDB Rise as Hijackings Continue
-https://threatpost.com/attacks-on-mongodb-rise-as-hijackings-continue/122887/

California Ransomware Bill Goes Into Effect (January 3 & 4, 2017)

A new law that took effect in California on January 1, 2017 punishes conviction of distributing ransomware with a prison sentence of up to four years. In the past, ransomware cases were tried under existing extortion statutes. According to the bill's sponsor, California State Senator Bob Hertzberg, "This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware."

Read more in:

SC Magazine: Ransomware crime bill goes into effect in California
-https://www.scmagazine.com/ransomware-crime-bill-goes-into-effect-in-california/
article/629451/


Ars Technica: Watch out hackers: Deploying ransomware is now a crime in California
-http://arstechnica.com/tech-policy/2017/01/watch-out-hackers-deploying-ransomwar
e-is-now-a-crime-in-california/


California Senate: Gov. Brown Signs Legislation Punishing Ransomware
-http://sd18.senate.ca.gov/news/9272016-gov-brown-signs-legislation-punishing-ran
somware

Software Update Causes Problems for Some U.S. Customs and Border Patrol Systems (January 3 & 5, 2017)

A problematic software update caused systems used by the U.S. Customs and Border Patrol to be offline for four hours on January 2, 2017, causing travel delays. The affected systems are used to process incoming international travelers at airports. Due to the outage, incoming travelers were processed using backup systems, which took considerably longer. National security database checks were unaffected.

Read more in:

FCW: Buggy software update crashes CBP airport systems
-https://fcw.com/articles/2017/01/03/cbp-outage-rockwell.aspx

FedScoop: Customs outage from software update disrupts travel into the U.S.
-http://fedscoop.com/customs-computer-outage-disrupts-travel-for-thousands

Not All Federal Agency Websites Have Met HTTPS Migration Deadline (January 3, 2017)

Roughly 30 percent of federal government agency websites have not yet implemented HTTPS. The Office of Management and Budget (OMB) mandated that "all publicly accessible federal websites and web services" transition to HTTPS by December 31, 2016. Agencies were instructed to prioritize domains that are used to exchange sensitive data or that receive large volumes of traffic.

Read more in:

FCW: 3 in 10 agency websites miss OMB deadline to migrate to HTTPS
-https://fcw.com/articles/2017/01/03/secure-site-standard-gunter.aspx

INTERNET STORM CENTER TECH CORNER

Removing "Ransom Ware" From Android Based LG TVs
-https://www.youtube.com/watch?v=0WZ4uLFTHEE

libpng Patches 30 Year Old Bug
-http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&
;m=slackware-security.567619

Kaspersky Antivirus SSL Interception Vulnerability
-https://bugs.chromium.org/p/project-zero/issues/detail?id=978

Thunderbird Update Fixes Critical Vulnerability
-https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/

GRE Packets May Be Related To Linux Kernel Bug
-http://www.openwall.com/lists/oss-security/2016/10/13/11

Insecure MongoDB Instances Hit By Fake Ransomware
-https://twitter.com/0xDUDE

Android Security Update
-https://source.android.com/security/bulletin/2017-01-01.html

Identifying WordPress Websites on Local Networks
-https://www.netsparker.com/blog/web-security/bruteforce-wordpress-local-networks
-xshm-attack/

Google.com.br DNS Hijack
-https://www.linkedin.com/pulse/googlecombr-hacked-renato-marinho

Attackers Use Stolen Passwords To Take Over Spreadshirt.com Accounts.
-https://www.heise.de/security/meldung/Angriff-auf-Spreadshirt-Konten-3589579.htm
l

(sorry, only in German)

Ransomware Adding DDoS Component
-https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a
-ddos-component/

Old Malware Returning in Targeted Attacks
-https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigbo
ss-and-sillygoose



***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board